Application: PEAR XML_RPC <= 1.3.3 Severity: A malformed XMLRPC request can result in execution of arbitrary injected PHP code Risk: CriticalVendor Status: Vendor has released an updated version References: http://www.hardened-php.net/advisory_142005.66.html

Overview:

PEAR XML_RPC is the PEAR-ified version of Useful Inc's XML-RPC for PHP, which is a PHP implementation of the XML-RPC protocol. It has support for HTTP transport, proxies and authentication.

After Gulftech released their PHP code injection advisory in the end of June 2005 we sheduled the code for an audit from our side. Unfortunately we were able to find another vulnerability in the XML-RPC libraries that allows injection of arbitrary PHP code into eval() statements.

Unlike the last vulnerability this is not caused by wrongly implemented escaping of the user input, but by an improper handling of XMLRPC requests and responses that are malformed in a certain way.

To get rid of this and future eval() injection vulnerabilities, the Hardened-PHP Project has developed together with the maintainers of both libraries a fix that completely eliminates the use of eval() from the library.

Details:

When the library parses XMLRPC requests/repsonses, it constructs a string of PHP code, that is later evaluated. This means any failure to properly handle the construction of this string can result in arbitrary execution of PHP code.

In late June a problem was discovered, that certain XML tags where using single quotes around embedded user input and single quotes where not escaped. This allowed a typical injection attack. While all these escaping problems were believed to be fixed, I was able to find another problems, that allows injection of arbitrary code.

This new injection vulnerability is cause by not properly handling the situation, when certain XML tags are nested in the parsed document, that were never meant to be nested at all. This can be easily exploited in a way, that user-input is placed outside of string delimiters within the evaluation string, which obviously results in arbitrary code execution.

Therefore we have added a XML tag nesting verification into the code and additionally removed all call to eval(). Therefore the resulting patch eliminates the current and the possibility for future eval() holes. Additionally this means from the diff between a vulnerable and a not vulnerable version it is not possible to find the position of the flaw easily.

CVE Information:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2005-2498 to this vulnerability.

Proof of Concept:

The Hardened-PHP Project is not going to release an exploit for this vulnerability to the public.

Disclosure Timeline:

22. July 2005 - Contact with both library vendors established. Issue is discussed and a patch that eliminates the use of eval() is developed, improved and tested. 12. August 2005 - Affected applications are contacted and asked for beta test of the patches. 14. August 2005 - Vendors release bugfixed versions, after information about this vulnerability leaked through one of the affected applications to the public. 15. August 2005 - Public disclosure

Recommendation:

We strongly recommend to upgrade to the vendor supplied new version, that completely eliminates all calls to eval().

PEAR XML_RPC 1.4.0 http://pear.php.net/get/XML_RPC-1.4.0.tgz

You can also upgrade XML_RPC with the pear commandline client, but because this uses a XML_RPC connection to retrieve the data it is not recommended.